What’s Inside:
2 Built-in Compliance Capabilities
3 Comprehensive Attack Protection
5 Policy Control
6 Integration for Agility and Adaptability
8 The BIG-IP ASM Architecture
9 F5 Services
9 More Information
DATASHEET
Achieve Regulatory Compliance and Defend Against Attacks
As more application traffic moves over the web, sensitive data is exposed to theft, security vulnerabilities, and attacks, especially at the application layer. F5 BIG-IP® Application Security Manager™ (ASM) is an advanced web application firewall that significantly reduces and mitigates the risk of loss or damage to data, intellectual property, and web applications. BIG-IP ASM provides unmatched application and website protection, a complete attack expert system, and compliance for key regulatory mandates—all on a platform that consolidates application delivery with network and application acceleration and optimization.
The result is the industry’s most comprehensive web application security and application integrity solution. The award-winning BIG-IP ASM solution protects your organization and its reputation by maintaining the confidentiality, availability, and performance of the applications that are critical to your business.
BIG-IPApplicationSecurityManager
Key benefits
Reduce costs and enable compliance
Achieve security standards compliance with built-in application security protection.
Ensure app security and availability
Get comprehensive attack protection from DDoS, layer 7 DoS, brute force, XSS, SQL injection, OWASP Top Ten, and more.
Get out-of-the-box app security policies
Provide protection with pre-built rapid deployment policies and minimal configuration.
Improve app security and performance
Enable advanced application security while accelerating performance and improving cost effectiveness.
Handle threats with greater agility
Focus on fast application development and deployment with automatic security policies.
DATASHEET BIG-IP Application Security Manager
PCI reporting specifies which requirements are being met as well as steps required to become compliant.
Built-in Compliance Capabilities
Advanced, built-in security protection and remote auditing help your organization comply with industry security standards, including Payment Card Industry Data Security Standard (PCI DSS), HIPAA, Basel II, and SOX, in a cost-effective way—without requiring multiple appliances, application changes, or rewrites. BIG-IP ASM reports previously unknown threats, such as layer 7 denial-of-service (DoS) and SQL injection attacks, and it mitigates web application threats to shield the organization from data breaches. All reports are GUI-driven and provide drill-down options with a click.
PCI reporting
With PCI reporting, BIG-IP ASM lists security measures required by PCI DSS 1.2, determines if compliance is being met, and details steps required to become compliant if not.
Geolocation reporting
Geolocation reporting informs you of the country where threats originate in addition to attack type, violation, URL, IP address, severity, and more. You can also schedule reports to be sent to a designated email address automatically for up-to-date reporting.
1 “Data breach costs rise as firms brace for next loss,” Robert Westervelt, SearchSecurity.com.
According to the Web Application Security Consortium, 96.85% of websites have vulnerabilities that pose an immediate risk of attack, and 69.37% of those vulnerabilities are client-side. As more applications move to the web, data breach from web applications is a real concern. Once a breach occurs, the Ponemon Institute estimates the total average cost of a data breach at $202 per record compromised and $225 for malicious insiders or former workers.1
Easy-to-read format for remote auditing
BIG-IP ASM makes security compliance easier and saves valuable IT time by exporting policies in human readable format. The flat, readable XML file format enables auditors to view the policies offsite. Auditors working remotely can view, select, review, and test policies without requiring time and support from the web application security administrator.
Comprehensive Attack Protection
Keeping up to date on the large number of security attacks and protection measures can be a challenge for administrators and security teams. Information overload and increasingly sophisticated attacks add to the difficulty. BIG-IP ASM delivers comprehensive and cost-effective protection for web applications while improving manageability for administrators.
Advanced enforcement
BIG-IP ASM can secure any parameter from client-side manipulation and validate log-on parameters and application flow to prevent forceful browsing and logical flaws.
HTTP parameter pollution (HPP) attacks are illegal requests in which the URL is split with illegal (repeated) parameters to bypass application security. BIG-IP ASM recognizes these attacks and blocks these requests, providing granular attack protection.
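The following is an added illustration of the HPP check described above, not BIG-IP ASM code: a WAF-style filter in front of the application flags any request whose query string repeats a parameter name after percent-decoding, and shows why that matters by listing how different back ends would interpret the duplicate. The URL and parameter names are constructed samples.

```python
from urllib.parse import parse_qsl, urlsplit

# Added example, not BIG-IP ASM code: a reverse-proxy style HTTP parameter
# pollution (HPP) check. A request is flagged when, after percent-decoding,
# the same parameter name appears more than once, because different back
# ends disagree on which copy the application will actually see.


def find_polluted_params(url: str) -> dict[str, list[str]]:
    """Return {name: [values...]} for every query parameter that repeats."""
    # parse_qsl percent-decodes names, so "%70age" and "page" collide here
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    seen: dict[str, list[str]] = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def backend_views(values: list[str]) -> dict[str, str]:
    """How three common server behaviours interpret one repeated parameter."""
    return {
        "first_wins": values[0],          # e.g. some Java servlet containers
        "last_wins": values[-1],          # e.g. many PHP / Python frameworks
        "concatenated": ",".join(values), # e.g. classic ASP
    }


def is_polluted(url: str) -> bool:
    """Blocking decision the proxy would make before forwarding the request."""
    return bool(find_polluted_params(url))


if __name__ == "__main__":
    # Constructed sample request: the second "page" is percent-encoded as %70age
    sample = "https://app.example/items?page=1&sort=asc&%70age=2"
    dupes = find_polluted_params(sample)
    print("blocked:", is_polluted(sample), dupes)   # blocked: True {'page': ['1', '2']}
    for name, values in dupes.items():
        print(name, backend_views(values))
```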
BIG-IP ASM also protects against layer 7 DoS, SQL injection, cross-site scripting (XSS), brute force, and zero-day web application attacks. In addition, BIG-IP ASM protects against OWASP Top Ten2 application security risks. For example, Cross Site Request Forgery, an OWASP Top Five attack, forces a victim’s browser to send a stealth valid request to a trusted website in which the victim has a valid session. Attackers execute fraudulent transactions, such as fund transfers, and it is hard for victims to prove they did not execute the request. BIG-IP ASM mitigates those attacks and protects applications with easy checkbox enablement.
With attacks coming from around the world, geolocation reporting helps you identify where threats originate.
2 To read the OWASP Top Ten for BIG-IP ASM, contact your F5 representative.
The attack expert system provides detailed descriptions of detected attacks.
According to the September 2009 SANS Report, 60 percent of all attacks occur on web applications and more than 80 percent of vulnerabilities are in web applications—mostly SQL injection and XSS.
Attack expert system
As threats grow in number and complexity, the integrated and comprehensive attack expert system provides an immediate, detailed description of the attack, as well as enhanced visibility into the mitigation techniques used by BIG-IP ASM to detect and prevent the attack.
The attack expert system bridges the gap between the network and the application team, educating the administrator on application security.
Web scraping prevention
BIG-IP ASM helps you protect your brand by shielding your websites from web scraping attacks that copy and reuse valuable intellectual property and information. By differentiating between a human and a bot behind a browser, BIG-IP ASM protects against automated requests to obtain data. Policies for web applications can recognize an increase in request volumes and alert BIG-IP ASM to review whether requests are desired. Known IP addresses previously found to web scrape can be blacklisted for detection and blocking.
Integrated XML firewall
BIG-IP ASM provides application-specific XML filtering and validation functions that ensure that the XML input of web-based applications is properly structured. It provides schema validation, mitigation of common attacks, and XML parser denial-of-service prevention.
DataGuard and cloaking
BIG-IP ASM prevents the leakage of sensitive data (such as credit card numbers, Social Security numbers, and more) by stripping out the data and masking the information. In addition, BIG-IP ASM hides error pages and application error information, preventing hackers from discovering the underlying architecture and launching a targeted attack.
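As an added example of the response-side masking described above (not F5’s DataGuard implementation), the filter below scans an HTTP response body for Social Security numbers and card-number-shaped digit runs, keeps only the last four digits of a card, and uses a Luhn check so that other long numbers such as order identifiers are left untouched. The response text is a constructed sample.

```python
import re

# Added example, not BIG-IP ASM / DataGuard code: mask sensitive data in an
# HTTP response body before it reaches the client.

# 13-19 digits, optionally separated by spaces or hyphens (card number shape)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# nnn-nn-nnnn (US Social Security number shape)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    """Replace all but the last four digits with '*', preserving separators."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                # not a card number (e.g. an order id): leave it
    keep_from = len(digits) - 4
    out, idx = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if idx >= keep_from else "*")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_sensitive(body: str) -> str:
    """Return the response body with SSNs fully masked and card numbers masked to last four."""
    body = SSN_RE.sub("***-**-****", body)
    return CARD_RE.sub(_mask_card, body)


if __name__ == "__main__":
    # Constructed response fragment: one real (Luhn-valid test) card, one order id, one SSN
    sample = "Card 4111 1111 1111 1111 on file, order 1234 5678 9012 3456, SSN 123-45-6789"
    print(mask_sensitive(sample))
    # Card **** **** **** 1111 on file, order 1234 5678 9012 3456, SSN ***-**-****
```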
Live update for attack signatures
New signatures from new attacks are frequently required to ensure up-to-date protection. BIG-IP ASM queries the F5 signature service on a daily basis and automatically downloads and applies new signatures.
Antivirus security protocol support
The most widely used security protocol for sending and receiving uploaded files for antivirus scanning is Internet Content Adaptation Protocol (ICAP). BIG-IP ASM strips an uploaded file from the HTTP request and forwards it to an antivirus server over ICAP. If the file is clean, the antivirus server responds to accept the request. If the file is not clean, BIG-IP ASM blocks the request to protect the network from virus intrusion.
SMTP and FTP security
BIG-IP ASM eases the manageability of FTP server farms. BIG-IP ASM validates the FTP protocol, mitigates brute force attacks, and can also whitelist the enabled FTP commands. In addition, it can enforce command length limits and passive/active connections. For SMTP, BIG-IP ASM provides additional security checks at the perimeter. It also supports greylisting to prevent spam, enforces the SMTP protocol, blacklists dangerous SMTP commands, and mitigates directory harvesting attacks. The rate-limiting capabilities of BIG-IP ASM help to fight DoS attacks.
Easy web services security
BIG-IP ASM offloads web services encryption and decryption as well as digital signature signing and validation. You can easily manage and configure these functions from one location directly on the BIG-IP system, including the ability to encrypt or decrypt SOAP messages and verify signatures without the need to change application coding.
Policy Control
Websites are diverse, complex, and constantly changing, requiring policies with hundreds if not thousands of clear and precise rules. BIG-IP ASM helps security teams manage these changes while maintaining the delicate balance between ensuring the strictest security controls possible and allowing legitimate user access.
Out-of-the-box protection
BIG-IP ASM is equipped with a set of pre-built application security policies that provide out-of-the-box protection for common applications such as Microsoft Outlook Web Access, Lotus Domino Mail Server, Oracle E-Business Financials, and Microsoft SharePoint. In addition, BIG-IP ASM includes a rapid deployment policy that immediately secures any customer application. The validated policies require zero configuration time and serve as a starting point for more advanced policy creation, based on heuristic learning and specific customer application security needs.
Figure: web application clients on the Internet send HTTP/S traffic through BIG-IP Application Security Manager to the web application servers and their data. BIG-IP ASM provides comprehensive web application protection.
Staging
Staging functionality enables updated policies to be transparent for testing in a live environment without reducing current protection levels. BIG-IP ASM makes it easy to stage policies using attack signatures, file types, URLs, and other parameters, and to test whether changes are needed before a policy is enforced. The policy can be redesigned and retested until you are satisfied and the policy is ready for live implementation.
iRules integration
You can design custom iRules® to be triggered to respond to BIG-IP ASM events. For example, a policy for a blocking page can be used to protect multiple websites using an iRule that displays a customized blocking page for a specific web domain when a web scraping bot is detected. Many BIG-IP ASM events can be customized to your unique environment.
Real-time traffic policy builder
At the heart of BIG-IP ASM is the dynamic policy builder engine, which is responsible for automatic self-learning and creation of security policies. It automatically builds and manages security policies around newly discovered vulnerabilities, deploying fast, agile business processes without manual intervention.
When traffic flows through BIG-IP ASM, the policy builder parses requests and responses, providing the unique ability to inspect the bi-directional flow of full client and application traffic—both data and protocol. By using the advanced statistics and heuristics engine, the policy builder can filter out attacks and abnormal traffic. The policy builder can also run in a mode in which it is made aware of site updates. By parsing responses and requests, it can detect site changes and automatically update the policy accordingly, without any user intervention.
Integration for Agility and Adaptability
The ability to respond to frequent changes in attack methods and your IT environment is a key component of web application security. By integrating with third-party products, BIG-IP ASM provides a dynamic and adaptable security solution. BIG-IP ASM integrates with WhiteHat, Splunk, and Oracle products for vulnerability assessment, auditing, and real-time database reporting to provide security breach reviews, attack prevention, and compliance.
BIG-IP ASM provides pre-built, validated application security policies requiring no configuration and giving out-of-the-box protection for mission-critical applications.
In addition to integrating with third-party products, BIG-IP ASM works together with other F5 products to provide even greater benefits, such as web application acceleration and access control.
Vulnerability assessment with WhiteHat Sentinel
Integration with WhiteHat Sentinel offers a unique vulnerability assessment service that combines automated tools with dedicated, highly skilled application security experts. Through integration with BIG-IP ASM, the industry-leading WhiteHat Sentinel service can scan a web application and create BIG-IP ASM rules that specifically address the vulnerabilities discovered in the application. The result is a validated and actionable vulnerability assessment with a near-instantaneous mitigation response, protecting the application while development corrects the vulnerable code.
Centralized reporting with Splunk
Splunk, a large-scale, high-speed indexing and search solution, provides 15 different BIG-IP ASM–specific reports. These reports provide visibility into attack and traffic trends, long-term data aggregation for forensics, acceleration of incident response, and identification of unanticipated threats before exposure occurs.
Database reporting and security with Oracle
The integration between Oracle Database Firewall and BIG-IP ASM is the leading solution for web application and database security. This unique solution shares common reporting for web-based attempts to gain access to sensitive data, subvert the database, or execute DoS attacks against the database. Malicious users can be isolated while reports and alerts provide immediate detection and information on the type and threat of such attacks.
Acceleration and application security
With BIG-IP ASM and BIG-IP® WebAccelerator™ running together on BIG-IP® Local Traffic Manager™, you can secure applications while also accelerating performance. This efficient, multi-solution platform adds security without sacrificing performance. Attacks are filtered immediately and web applications are accelerated for improved user experience. Since there is no need to introduce a new appliance to the network, you get an all-in-one solution for maximum cost effectiveness.
Granular access control and application security
BIG-IP® Access Policy Manager™ (APM) and BIG-IP ASM bring access control and application security services layered together on your BIG-IP system. With BIG-IP APM, you can provide context-aware, policy-based access to users while simplifying authentication, authorization, and accounting (AAA) management for web applications.
The BIG-IP ASM Architecture
BIG-IP ASM runs on F5’s unique, purpose-built TMOS® architecture. TMOS is an intelligent, modular, and high-performing platform that enhances every function of BIG-IP ASM. TMOS delivers insight, flexibility, and control to help you intelligently protect your web applications.
TMOS delivers:
· SSL offload
· Caching
· Compression
· The ability to manipulate any application content on-the-fly, regardless of in- or outbound traffic
· TCP/IP optimization
· Advanced rate shaping and quality of service
· IPv6 Gateway™
· IP/port filtering
· VLAN support through a built-in switch
· Resource provisioning
· Route domains (virtualization)
· Remote authentication
· Security
· Display customized legal notices and security login banners
· Enforce admin session timeouts
· Securely log out of the BIG-IP system
· Comply with enhanced auditing and logging requirements
· Completely isolate and secure SSL certificates from being read or modified
BIG-IP ASM protects against various application attacks, including:
· Layer 7 DoS and DDoS
· Brute force
· Cross-site scripting (XSS)
· Cross Site Request Forgery
· SQL injection
· Parameter and HPP tampering
· Sensitive information leakage
· Session hijacking
· Buffer overflows
· Cookie manipulation
· Various encoding attacks
· Broken access control
· Forceful browsing
· Hidden fields manipulation
· Request smuggling
· XML bombs/DoS
Additional network and application security services include:
· PCI compliance reports
· Human readable policies (remote audit)
· Attack expert system
· Staging
· Reporting
· Web scraping prevention
· IP penalty enforcement
· iRules and Fast Cache™ integrations
· Report scheduling
· SSL accelerator
· Stateful layer 3–4 firewall
· Transparent and non-transparent reverse proxy
· Key management and failover handling
· SSL termination and re-encryption to web servers
· Web services encryption/decryption and digital signature verification
· VLAN segmentation
· DoS protection
· Client-side certificates support
· Client authentication via LDAP/RADIUS
· BIG-IP modules layering access control and web acceleration
· Dedicated management port
· Monitoring of URIs
· ICAP support
· Centralized advanced reporting with Splunk
· Database security with Oracle Database Firewall
Pre-built application security policies include:
· Lotus Domino 6.5
· OWA Exchange 2003
· OWA Exchange 2007
· Oracle 10g Portal
· Oracle Application 11i
· PeopleSoft Portal 9
· Rapid Deployment security policy
· SAP NetWeaver 7
· SharePoint 2003
· SharePoint 2007
· ActiveSync v1.0, v2.0
· WhiteHat Sentinel Baseline
© 2010 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, FirePass, iControl, TMOS, and VIPRION are trademarks or registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS03-00009 1110
F5 Networks, Inc. Corporate [email protected]
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
F5 Networks Ltd. Europe/Middle-East/Africa [email protected]
F5 Networks Japan [email protected]
BIG-IP ASM Platforms
BIG-IP ASM is available as a standalone solution or as an add-on module for BIG-IP Local Traffic Manager on the 11050, 8950, 8900, 6900, 3900, and 3600 platforms, and as an add-on module for VIPRION®. For detailed physical specifications, please refer to the BIG-IP® System Hardware Datasheet.
F5 Services
F5 is dedicated to helping you get the most from your F5 products. To find out how F5 Services can help you improve your ROI, reduce administrative time and expense, and optimize the performance and reliability of your IT infrastructure, contact [email protected].
More Information
To learn more about BIG-IP ASM, use the search function on F5.com to find these and other resources.
Product overview
BIG-IP Application Security Manager
White paper
Manageable Application Security
Case study
Human Kinetics Boosts Website Performance, Security, and Innovation
Article
SC Magazine, 2010 Reader Trust Award for Best Web Application Security
Platform images: 11050 Series, 8900 Series, 6900 Series, 3900 Series, and 3600 Series.